I think you can choose a different value for eap_identity, but I don’t know.

Requirements for success:
A working GUI configuration in pfSense 2.2 with certificate validation. pfSense/strongSwan should accept all certs with EKU “Client Authentication” (1.3.6.1.5.5.7.3.2) created by a chosen certificate authority
The patch/code must be included into the main branch for pfSense 2.2

Edit:
working eap-tls vpn setup now possible, thank you very much ermal!

Cert requirements,

Full trust of chain (Root CA have to be installed on the client)

pfSense Server cert needs the EKU "Server Authentication", also the FQDN in the Subject Alternative Names

pfSense Client Cert needs the EKU "Client Authentication", also the CN name as a FQDN in the SAN
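The three certificate requirements listed above (chain trusted, correct EKU, CN repeated as a DNS entry in the SAN) can be checked on any host with the openssl CLI before a client certificate is handed out or imported. The script below is an added example, not code from the thread or from pfSense/strongSwan; it assumes openssl 1.0.2 or later is installed, and the helper names (`check_chain`, `check_eku`, `check_san_has_cn`, `check_client_cert`, `make_demo_pki`) and the demo hostnames are made up for this illustration. `make_demo_pki` builds a throwaway CA with one server certificate, one client certificate that meets the requirements, and one client certificate whose CN is a short name that does not appear in its SAN, so the failing case is visible.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check a PEM certificate
# against the EAP-TLS requirements listed above using the openssl CLI.
# Assumes openssl 1.0.2+ is installed; all helper names are hypothetical.

# Requirement 1: the peer certificate chains to the trusted root CA.
check_chain() {                       # $1 = CA bundle PEM, $2 = leaf PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Requirement 2: the certificate carries the expected Extended Key Usage.
# openssl prints 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication" and
# 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication".
check_eku() {                         # $1 = PEM, $2 = EKU text to require
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -qF "$2"
}

cert_cn() {                           # print the subject CN of $1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

san_dns_names() {                     # print one DNS SAN entry per line
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Requirement 3: the CN appears as a DNS entry in the Subject Alternative Name.
check_san_has_cn() {                  # $1 = PEM
    san_dns_names "$1" | grep -qxF "$(cert_cn "$1")"
}

# Full client-certificate check; reports the first requirement that fails.
check_client_cert() {                 # $1 = CA PEM, $2 = client PEM
    check_chain "$1" "$2" \
        || { echo "$2: not issued by the trusted CA"; return 1; }
    check_eku "$2" "TLS Web Client Authentication" \
        || { echo "$2: missing EKU clientAuth (1.3.6.1.5.5.7.3.2)"; return 1; }
    check_san_has_cn "$2" \
        || { echo "$2: CN is not listed as a DNS SAN"; return 1; }
    echo "$2: OK"
}

# --- Constructed demo PKI (throwaway keys, one-day validity) -----------------
issue_cert() {        # $1 = dir, $2 = name, $3 = CN, rest = x509 extension lines
    d=$1; n=$2; cn=$3; shift 3
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$cn" 2>/dev/null
    printf '%s\n' "$@" > "$d/$n.ext"
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
}

make_demo_pki() {                     # $1 = output directory
    dir=$1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    # server cert: serverAuth EKU and the FQDN in the SAN
    issue_cert "$dir" server vpn.example.com \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:vpn.example.com'
    # good client cert: clientAuth EKU and the CN repeated as a DNS SAN
    issue_cert "$dir" client laptop1.example.com \
        'extendedKeyUsage=clientAuth' 'subjectAltName=DNS:laptop1.example.com'
    # bad client cert: CN is a short name, so it is absent from the SAN list
    issue_cert "$dir" laptop laptop7 \
        'extendedKeyUsage=clientAuth' 'subjectAltName=DNS:laptop7.example.com'
}

# Stand-alone run: `sh check_eap_tls_certs.sh demo`
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d); make_demo_pki "$work"
    check_client_cert "$work/ca.pem" "$work/client.pem"
    check_client_cert "$work/ca.pem" "$work/laptop.pem" || true
    rm -rf "$work"
fi
```

`check_client_cert` stops at the first unmet requirement, which mirrors the order strongSwan effectively evaluates them (trust first, then key usage, then identity), so the message points at the part of the certificate that has to be reissued rather than at a generic authentication failure.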

Is pfSense the issuer of these certificates?
I think that all the client certs should be present in the certificate repository of pfSense, at least the public component.
After I will put all these public parts to be trusted by strongswan.
Not sure why strongswan has this requirement but seems the better way.

Can you do the test to put the peer certificate on the /var/etc/ipsec/ipsec.d/cer* and see if that fixes it with eap_identity = %identity?

Jan 15 22:15:53 charon: 07[IKE] configured EAP-only authentication, but peer does not support it
Jan 15 22:15:53 charon: 07[IKE] <con3|43>configured EAP-only authentication, but peer does not support it
